Since noplaintext is present, postfix will refuse to use a mechanism that sends passwords in the clear. If your upstream relay host only supports PLAIN or LOGIN mechanisms (both of which send password in the clear), you have to remove noplaintext from smtp_sasl_security_options.

To see if you upstream relay expects passwords in clear, enable higher level logging by setting the following flags and reloading postfix. (Replace mailrelay.example.com with your relay name). This should increase what's logged for the smtp auth transaction. For more information read man 5 postconf.

The above link resolved issues, not using lemming commands and using the actual config files.

AT&T Yahoo DSL Specific

If outgoing mail is not being delivered and /var/log/mail.log shows:

(lost connection with smtp.att.yahoo.com while receiving the initial server greeting)

Some ISP's SMTP servers do not implement TLS properly on port 465 (AT&T Yahoo DSL in particular); mail clients handle this when making an SSL connection, however Postfix loses the server connection in this case. Port 587, the standard secondary SSL SMTP port, does work properly with TLS.

Beware, new wrinkle if using Yahoo!/AT&T DSL's outgoing SMTP. You MUST login to your Yahoo! webmail account once a year or the account is disabled. They take their sweet time reenabling it (as I'm finding out today) and your outgoing mail is bounced in the meantime.

Persistence across Zimbra restarts

In my experience with ZCS 6.0.2 the postconf commands did not stick across restarts which resulted in mail getting queued up or bounced for many hours before I noticed. After much frustration and Googling I discovered the answer is to use zmlocalconfig either instead of or in addition to postconf. Postconf & postfix reload will apply the settings immediately but not persist across restarts. zmlocalconfig requires a full Zimbra restart using 'zmcontrol stop' and 'zmcontrol start' or 'service zimbra restart'.